Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, comprising: receiving a request for a secure session at a destination network address, wherein the destination network address includes a first predefined portion that identifies a hostname, wherein the first predefined portion is less than all of the destination network address; identifying the hostname from the first predefined portion of the destination network address; participating in a secure session negotiation including returning a digital certificate for the identified hostname; receiving an indication that a hostname is experiencing traffic indicative of an attack; assigning a second network address for the hostname, wherein the assigned second network address includes a second predefined portion that identifies that the hostname is experiencing traffic indicative of an attack; and updating one or more Domain Name System (DNS) records such that a DNS request for the hostname returns the second network address.
2. The method of claim 1, further comprising: receiving an encrypted request for an action to be performed on a resource that is hosted at an origin server for the hostname; determining the origin server for the hostname without decrypting the encrypted request to view a host header; and transmitting the encrypted request to the determined origin server for further processing.
3. The method of claim 1, further comprising: receiving, at the second network address, a second request for an action to be performed on a second resource that is hosted at the origin server for the hostname; identifying, from the second predefined portion of the second network address, that the hostname is experiencing traffic indicative of an attack; and taking one or more security actions in response to identifying that the hostname is experiencing traffic indicative of an attack.
4. The method of claim 3, wherein the one or more security actions include one or more of the following: dropping packets for the second request; causing one or more challenges to be presented to a sender of the second request and processing the second request including attempting to perform the action on the second resource if the one or more challenges are successfully passed; routing packets for the second request to a dedicated data center or hardware device to process; and rate limiting packets for the second request.
5. The method of claim 1, wherein the network address is an IPv6 address.
6. The method of claim 1, further comprising: wherein the received request for the secure session identifies the hostname; and determining that the hostname identified in the received request matches the hostname identified from the first predefined portion of the destination network address.
7. A non-transitory machine-readable storage medium that provides instructions that, when executed by a processor, cause said processor to perform operations comprising: receiving a request for a secure session at a destination network address, wherein the destination network address includes a first predefined portion that identifies a hostname, wherein the first predefined portion is less than all of the destination network address; identifying the hostname from the first predefined portion of the destination network address; participating in a secure session negotiation including returning a digital certificate for the identified hostname; receiving an indication that a hostname is experiencing traffic indicative of an attack; assigning a second network address for the hostname, wherein the assigned second network address includes a second predefined portion that identifies that the hostname is experiencing traffic indicative of an attack; and updating one or more Domain Name System (DNS) records such that a DNS request for the hostname returns the second network address.
8. The non-transitory machine-readable storage medium of claim 7 that provides instructions that, when executed by the processor, cause the processor to further perform operations comprising: receiving an encrypted request for an action to be performed on a resource that is hosted at an origin server for the hostname; determining the origin server for the hostname without decrypting the encrypted request to view a host header; and transmitting the encrypted request to the determined origin server for further processing.
9. The non-transitory machine-readable storage medium of claim 7 that provides instructions that, when executed by the processor, cause the processor to further perform operations comprising: receiving, at the second network address, a second request for an action to be performed on a second resource that is hosted at the origin server for the hostname; identifying, from the second predefined portion of the second network address, that the hostname is experiencing traffic indicative of an attack; and taking one or more security actions in response to identifying that the hostname is experiencing traffic indicative of an attack.
10. The non-transitory machine-readable storage medium of claim 9, wherein the one or more security actions include one or more of the following: dropping packets for the second request; causing one or more challenges to be presented to a sender of the second request and processing the second request including attempting to perform the action on the second resource if the one or more challenges are successfully passed; routing packets for the second request to a dedicated data center or hardware device to process; and rate limiting packets for the second request.
11. The non-transitory machine-readable storage medium of claim 7, wherein the network address is an IPv6 address.
12. The non-transitory machine-readable storage medium of claim 7 that provides instructions that, when executed by the processor, cause the processor to further perform operations comprising: wherein the received request for the secure session identifies the hostname; and determining that the hostname identified in the received request matches the hostname identified from the first predefined portion of the destination network address.
13. An apparatus, comprising: a processor; a non-transitory machine-readable storage medium coupled with the processor that stores instructions that, when executed by the processor, cause said processor to perform the following: receive a request for a secure session at a destination network address, wherein the destination network address includes a first predefined portion that identifies a hostname, wherein the first predefined portion is less than all of the destination network address; identify the hostname from the first predefined portion of the destination network address; participate in a secure session negotiation including returning a digital certificate for the identified hostname; receive an indication that a hostname is experiencing traffic indicative of an attack; assign a second network address for the hostname, wherein the assigned second network address includes a second predefined portion that identifies that the hostname is experiencing traffic indicative of an attack; and update one or more Domain Name System (DNS) records such that a DNS request for the hostname returns the second network address.
14. The apparatus of claim 13, wherein the non-transitory machine-readable storage medium further stores instructions that, when executed by the processor, cause said processor to perform the following: receive an encrypted request for an action to be performed on a resource that is hosted at an origin server for the hostname; determine the origin server for the hostname without decrypting the encrypted request to view a host header; and transmit the encrypted request to the determined origin server for further processing.
15. The apparatus of claim 13, wherein the non-transitory machine-readable storage medium further stores instructions that, when executed by the processor, cause said processor to perform the following: receive, at the second network address, a second request for an action to be performed on a second resource that is hosted at the origin server for the hostname; identify, from the second predefined portion of the second network address, that the hostname is experiencing traffic indicative of an attack; and take one or more security actions in response to identifying that the hostname is experiencing traffic indicative of an attack.
16. The apparatus of claim 15, wherein the one or more security actions include one or more of the following: drop packets for the second request; cause one or more challenges to be presented to a sender of the second request and processing the second request including attempting to perform the action on the second resource if the one or more challenges are successfully passed; route packets for the second request to a dedicated data center or hardware device to process; and rate limit packets for the second request.
17. The apparatus of claim 13, wherein the network address is an IPv6 address.
18. The apparatus of claim 13, wherein the non-transitory machine-readable storage medium further stores instructions that, when executed by the processor, cause said processor to perform the following: wherein the received request for the secure session identifies the hostname; and determine that the hostname identified in the received request matches the hostname identified from the first predefined portion of the destination network address.
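The mechanism the claims describe (claims 1 through 6 and their medium and apparatus counterparts) can be made concrete in a small model of an edge proxy. The following Python is an added illustration written for this page, not code from the patent or from any assignee; the claims only say "a first predefined portion" and "a second predefined portion" of the address, so the bit layout below (a /64 prefix from the documentation range, a flag byte at bits 64-71, a 32-bit hostname identifier in the low 32 bits), the hostname registry, the origin table and the `CERT(...)` placeholder for a returned certificate are all constructed assumptions. It shows the certificate being selected from the destination address alone (with an optional SNI cross-check, claim 6), the origin being chosen by hostname without reading a Host header (claim 2), the flagged second address being assigned and published in the AAAA record when an attack indication arrives (claim 1), and the security action being chosen purely from the second portion of the address the request arrived on (claims 3 and 4).

```python
"""Model of hostname-in-IPv6-address routing with an attack marker (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed address layout (an assumption; the claims only speak of "predefined portions"):
#   bits 0-63   : /64 prefix routed to the proxy (2001:db8:1:1::/64, documentation range)
#   bits 64-71  : flag byte; FLAG_ATTACK set = hostname is experiencing attack traffic
#   bits 96-127 : 32-bit hostname identifier (the "first predefined portion")
PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")
FLAG_ATTACK = 0x01


def build_address(host_id: int, under_attack: bool = False) -> ipaddress.IPv6Address:
    """Compose an address whose low bits name the host and whose flag byte marks attack state."""
    if not 0 <= host_id < 2**32:
        raise ValueError("host_id must fit in 32 bits")
    flags = FLAG_ATTACK if under_attack else 0
    return ipaddress.IPv6Address(int(PREFIX.network_address) | (flags << 56) | host_id)


def parse_address(addr) -> tuple[int, bool]:
    """Recover (host_id, under_attack) from a destination address inside the proxy prefix."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in PREFIX:
        raise ValueError(f"{addr} is not in the proxy prefix {PREFIX}")
    value = int(addr)
    return value & 0xFFFF_FFFF, bool((value >> 56) & FLAG_ATTACK)


@dataclass
class EdgeProxy:
    hosts: dict[str, int]          # hostname -> identifier (constructed registry)
    origins: dict[str, str]        # hostname -> origin server (constructed)
    dns_aaaa: dict[str, ipaddress.IPv6Address] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.by_id = {i: h for h, i in self.hosts.items()}
        for hostname, host_id in self.hosts.items():
            # Normal (unflagged) address is what DNS answers with until an attack is reported.
            self.dns_aaaa[hostname] = build_address(host_id)

    def hostname_for(self, dest_addr) -> str:
        """Claim 1: identify the hostname from the first portion of the destination address."""
        host_id, _ = parse_address(dest_addr)
        return self.by_id[host_id]

    def certificate_for(self, dest_addr, sni: Optional[str] = None) -> str:
        """Claims 1 and 6: choose the certificate by address; reject a mismatching SNI if one is sent."""
        hostname = self.hostname_for(dest_addr)
        if sni is not None and sni.lower() != hostname:
            raise ValueError(f"SNI {sni!r} does not match address-derived host {hostname!r}")
        return f"CERT({hostname})"  # placeholder for the real certificate (assumption)

    def origin_for(self, dest_addr) -> str:
        """Claim 2: pick the origin from the address, never from a decrypted Host header."""
        return self.origins[self.hostname_for(dest_addr)]

    def mark_under_attack(self, hostname: str) -> ipaddress.IPv6Address:
        """Claim 1: assign a flagged second address and update the AAAA record to return it."""
        flagged = build_address(self.hosts[hostname], under_attack=True)
        self.dns_aaaa[hostname] = flagged
        return flagged

    def handle_request(self, dest_addr, challenge_passed: bool = False) -> tuple[str, Optional[str]]:
        """Claims 3 and 4: decide from the second portion of the address; returns (action, origin)."""
        _, under_attack = parse_address(dest_addr)
        if under_attack and not challenge_passed:
            return "challenge", None          # one of the listed security actions
        return "forward", self.origin_for(dest_addr)


if __name__ == "__main__":
    proxy = EdgeProxy(hosts={"example.com": 1, "example.net": 2},
                      origins={"example.com": "origin-a.internal", "example.net": "origin-b.internal"})
    normal = proxy.dns_aaaa["example.com"]
    print(normal, proxy.certificate_for(normal, "example.com"), proxy.handle_request(normal))
    flagged = proxy.mark_under_attack("example.com")
    print(flagged, proxy.handle_request(flagged), proxy.handle_request(flagged, challenge_passed=True))
```

Because both decisions are read from address bits rather than from the TLS payload, the proxy can pick a certificate and an origin, and switch a hostname into challenge mode, without terminating or inspecting the encrypted request; a hostname reached at its flagged address keeps that treatment until its AAAA record is changed back, and a request arriving at the old, unflagged address is still served normally, which is the behaviour the claims describe.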
February 28, 2017